Re: Do I need these services listening?
rodlinkowitz_at_whale-mail.com
Date: 03/15/05
Date: 14 Mar 2005 20:01:27 -0800
Gerald Vogt wrote:
> rodlinkowitz@whale-mail.com wrote:
> I try to describe how I think you should set it up: You connect the dsl
> modem to the WAN port of the Netgear and connect each computer to the
> Netgear. There is no direct connection between the computers but all the
> traffic goes through the netgear which then will provide the internet
> connection to both and will also exchange the traffic between both
> computers. (The Netgear includes a switch which does exactly that).
Well, that's exactly how my system is set up. Each computer has one NIC
card, the modem is plugged into the Netgear's WAN port, and each
computer is plugged into the router's LAN port via Cat 6 cable, as well
as their own NIC card. I may not have used the 'right' terminology
perhaps to describe it, in previous posts. Of course, it's only the
first computer that has the modem & router, so I call the second one
the "client". I do not use ICS and have no need to, and as is standard,
both machines have a distinct private IP address, with the server also
having a public address from my ISP.
> You should not be able to scan a private IP address because no scanner
> can find it. A private IP address is usually dropped at any router in
> between. That's why they are private. You can only scan the public
> address. If you scan from computer 2 all you should be able to scan
> under normal circumstances is computer 1 which has the public IP
> address. Can you elaborate which "software scanning programs" you used?
> When I usually think of port scanners I think of some online service
> that scans your ports like grc.com which you have mentioned somewhere
> else. These online scanners give you a fairly accurate look how it looks
> from the internet. These online scans are the only really interesting
> ones as any software which you would install locally to scan your
> computer can mostly give you a look from the inside which is different.
Well that's what I was thinking... but I figured (with my limited
understanding of network security), that if the ports look closed even
to an internal port scanner, they are for sure going to be unaccessible
to the internet. The problem of course is when I configured my router
to close open ports like 25 & 110, which the software scanners were
saying were open to the net, I could no longer send or receive mail!
But I also told the router to close ports 135-139 and 445, and so far,
I can't determine any bad effects from this. My pc-to-pc connection
still seems to work ok.

Some of the software port scanners I used include: Moorer Port Scanner,
PCSuperScanner, Free Port Scanner, Super Scan 4, PC Scanner, Local Port
Scanner and Advanced Port Scanner (this last one is in my estimation,
the best free scanner I've come across). I AM able to scan my private
IP on the second (client) computer using Advanced Port Scanner, by
entering its IP address. I'm also able to scan my public IP address
with APS, and in this case, it even tells me the proper host name of my
ISP, which seems to indicate it is scanning my system as would an
online scanner, via my public IP address. The results I get however are
no different than when I enter the WAN IP address given by my ISP.
Which is why I remain unsure as to whether the open ports and listening
services can be "heard" from the net.
> O.K. At this time I don't worry about the 135, 139, 445 which are normal
> to be open under normal circumstances.
That's what I thought... except I do tend to worry about 135, because I
got hit by a WORM through that port, and if it needs to remain open, I
want to be sure there is no way it can be accessed by anything outside
my LAN. (To this effect, I blocked off the port via my router, and have
created rules in my firewalls to further block it out).
> I worry more about the 25 and 110
> which is a SMTP server and POP server. Both, you say, you don't run but
> only use the normal client use. Even with your Internet Connection
> Sharing in between, no computer should report open ports 25 and 110
> unless it is running the servers. This does worry me in your case. Under
> normal circumstances I would say that this indicates some malware on
> your computer playing smtp relay or worse...
I'm quite sure I have no malware, that this system is clean. And that
like you say, some ports are normal to be open. I found your netstat
command gave me exactly the same results as my "WhoIsListening" port
monitor, except WIL is more detailed (and prettier). It can also alert
you whenever a program initiates a new connection. And this dual
corroboration means that no malware program replaced my netstat.
Anyway, they both show there are 5 TCP ports listening (with a remote
address port of 0.0.0.0.0, which seems to indicate they are not
trojans). They are:
- 1110
- 1125 (these two ports are used by my anti-virus, Kaspersky)
- epmap (port 135! Used for "DCE Endpoint Resolution" (whatever that is), and also by a number of WORMS!)
- microsoft-ds (port 445. Used by "Microsoft-DS" (whatever that is), and also by a number of WORMS!)
- netbios-ssn (I believe this is port 139, and it's necessary for communication between the two machines in my LAN)
Note that neither netstat nor WIL list ports 25 and 110 (they don't show
up at all, either as listening or open). It is only from the scan of
all 65535 ports with Advanced Port Scanner, that it told me the only
two ports open were 25 and 110. But as I said, when I tried to close
these ports through the Netgear, I couldn't use my email (which is what
I had figured would happen!). When I think about it, I don't see how I
can close those ports off to the net, and still expect to send and
retrieve email at will.
> telnet 65.93.127.22 smtp
Neat. Another trick I didn't know about. Gotta thank you for your part
in my education of net security, Gerald. Anyway, this didn't show
anything, no message came up, it just returned to the command prompt. I
guess this confirms I'm not running a mail server! So should I be
worrying about ports 135 and 445 listening?
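
The cross-check done by hand in the message above (netstat's listening list against a port scanner's "open" list), as an added example that is not part of the original post. The netstat sample is constructed, its bind addresses (loopback for 1110 and 1125, 192.168.0.2 for 139) are assumptions, and the function names are hypothetical.

```python
import re

# Constructed sample of Windows `netstat -an` output (not from the original post).
# Bind addresses are assumptions: the post lists the ports but not the local addresses.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1110         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1125         0.0.0.0:0              LISTENING
  TCP    192.168.0.2:139        0.0.0.0:0              LISTENING
  TCP    192.168.0.2:1043       192.168.0.1:80         ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# Matches only TCP rows in LISTENING state; captures local address and port.
LISTEN_ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$")
LOOPBACK = {"127.0.0.1", "[::1]"}


def listening_tcp(netstat_text):
    """Return {port: set of local bind addresses} for listening TCP sockets."""
    ports = {}
    for line in netstat_text.splitlines():
        m = LISTEN_ROW.match(line)
        if m:
            ports.setdefault(int(m.group(2)), set()).add(m.group(1))
    return ports


def compare(netstat_text, scanner_open):
    """Cross-check a scanner's 'open' ports against the host's own listeners."""
    listeners = listening_tcp(netstat_text)
    return {
        # Scanner reports open but the host has no listener: the answer came
        # from something other than a local server socket, so investigate it.
        "open_without_listener": sorted(set(scanner_open) - set(listeners)),
        # Bound only to loopback: other machines cannot connect to these.
        "loopback_only": sorted(p for p, a in listeners.items() if a <= LOOPBACK),
        # Bound to all interfaces or a LAN address: reachable from the network
        # unless the router or a host firewall blocks the port.
        "network_reachable": sorted(p for p, a in listeners.items() if not a <= LOOPBACK),
    }


if __name__ == "__main__":
    # 25 and 110 are the ports the scanner in the post reported as open.
    for name, ports in compare(SAMPLE_NETSTAT, [25, 110]).items():
        print(f"{name}: {ports}")
```

The `network_reachable` group is the one to confirm from outside with an online scan, since a local listing shows only what is bound, not what the router lets through.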